Five questions for John Black

A love of mathematics and the knowledge that there aren’t many jobs that allow someone “to just do math” propelled John Black toward a career in cryptography – the study and practice of secure communications.

“I’ve always loved math; it’s a way to explore nature but is not obscured by subjectivity. It’s very pure,” Black says. “Cryptology is a way that I can do math that’s applied to something that people care about.”

He grew up in Oakland but slowly began “migrating east.” He earned his Ph.D. at the University of California, Davis, and then worked as an assistant professor at the University of Nevada, Reno. He came to the University of Colorado Boulder in 2002 and is an associate professor of computer science. “I can’t go any farther east or I’d run out of mountains. And that’s non-negotiable.”

Teaching and research give him the flexibility to choose his interests and to work with bright, young people. If he could, he’d skip the grade-giving duty. When he’s not in front of a computer, you might find him hiking – “like everyone else in Boulder, it’s probably my favorite thing to do” – reading or rock climbing.

1. There have been a lot of “hacking” incidents in the news lately, including accusations that China hacked into some U.S. sites. First, explain how encryption (encoded messaging) works, and second, are there degrees of “secure”?

There are a lot of options when it comes to how you encrypt things. Most of the world uses the same set of algorithms, although some use bigger numbers to get added security. Cryptography is only one ingredient in the overall formula for security, and usually it is one of the stronger ones so people don’t normally focus on that piece. The analogy that’s often made is: Trying to hack into a secure system is like trying to break into a grass hut that has an iron door. You wouldn’t go through the iron door; you’d go through the grass wall instead. So if you want to break into a computer system and steal information, attacking the cryptography is probably not a good idea. It’s a very difficult way to succeed and there are other, easier ways to get in. The most effective way to defeat a security system is through social engineering, which is where you exploit the human element. We don’t know how to effectively combat those attacks.

One of the most famous social engineering attacks occurred when someone mapped out a company’s organizational chart and figured out the relationships between employees. Then they crafted emails that looked like they came from another person in the company. The human response was to trust the email because it looked legitimate, and someone gave up an internal password. Everything crumbled after that.

Passwords aren’t very effective, but in the commercial sector, companies are motivated by what consumers are willing to adopt. If they make it too onerous, then people won’t use their product or service, so we’re still stuck with passwords, which are a terrible way to authenticate somebody. There are risks with using passwords, so companies have to be able to absorb the resulting costs from fraud and theft. In other words, they pass the costs back to you. Of course, if the problem gets so severe it becomes impractical to continue this way, we’re going to have to do something else for authentication. You can use biometrics, which identifies humans by certain characteristics such as fingerprints, to strengthen security. In high security contexts, they already do these kinds of things.

2. What are some of your current research interests?

We’ve looked at hacking into certain Internet services and at breaking encryption protocols and creating new encryption protocols. Lately, I’ve been looking at how to teach security and cryptology to students using a game-like approach where the whole class is a game. It’s really fun for me and the students and has been very popular. The more motivated and excited you are, the better you learn, so this is an exciting thing to do on the education side.

I’ve also been doing something called quantum computing, which is a way of looking at building a new kind of computer that uses quantum properties to perform computation. These computers don’t really exist yet, but if they did, they would break most of the cryptology that we use. I did a sabbatical last year at the University of California, Santa Barbara, and worked with a team involved in quantum computers. I still have some ongoing work with them.

For example, RSA cryptography is security that is based on the presumed difficulty of factoring a big number into two smaller prime numbers. The best-known algorithms slowly get better every few years and computers get faster every year. So there’s the constant pressure of progress pushing up against this problem. We’ve made the numbers bigger and bigger and that’s worked so far. But quantum computers will blow that out of the water. A lot of money is being poured into research, mostly by our government. Cryptographers will respond by coming up with new systems that don’t succumb to this attack so it’s a continuing evolution of technology.

3. You teach a class titled “Ethical Hacking.” What is ethical hacking and what do students learn in the class?

Hacking in the mainstream media means breaking into things, but to most computer scientists, it means you’re good at playing with computers. You understand them at a deep level; you enjoy tinkering, exploring and experimenting. The class really is about getting down into the details of computers and trying to solve problems in a security context. The main activity of the class is, in fact, breaking into things. Of course we don’t do this to real systems. We set up a sandbox environment that deliberately has computer services with weaknesses built in. We let students try to break in using all kinds of tools we provide, or sometimes, we don’t provide the tools and they have to figure it out. They have to build a set of skills that helps them penetrate security systems and break into machines.

It’s ethical because we only do this to certain machines, and we also talk about when it’s appropriate to use these skills. There have been some objections to this class. People ask, “Why are you teaching students to break into computers?” My response is that you can’t teach an FBI agent how to defend against terrorism without telling him or her how terrorists operate. So that’s sort of the object of the class. If you are going to defend against cyberattacks, you have to understand how cyberattacks are conducted. There also is something called penetration testing, which is a service offered by some companies. They will break into your computer system with an agreement not to do harm so you know where your vulnerabilities lie. It’s a very common service provided in the corporate world. So by teaching these attack techniques, we’re also preparing students for a career in penetration testing.

4. We rely more and more on cybersystems to run everything from power plants to hospitals, and the Obama administration has called for more efforts to strengthen cybersecurity to repel attacks. Is this the future?

Every day society is moving more toward automation and it’s not going to reverse. We’re already seeing warfare conducted in cyberspace. We saw Stuxnet, a computer virus that attacked Iran’s nuclear program and supposedly was created by the U.S. and Israel. If I wanted to try to predict the future, I would say that a lot of warfare will be converted from a physical modality to online, to computer-based warfare. So you can imagine a future where warfare largely is conducted via cyberattack and cyberdefense.

5. You have won a variety of awards including teaching awards and a National Science Foundation Career Award. You also list on your CV this award: A Check for $2.56 from Don Knuth, 1996.

Don Knuth is one of the most highly regarded computer scientists in history. He published a series of beautiful books that are very well-known in computer science. He’s a perfectionist and would offer a monetary reward for anyone who could find an error in his books. The amount of the reward changed over time, but it settled at $2.56 because that’s one hexadecimal dollar. He’s issued some 2,000 of these checks over the last 30 or 40 years, and apparently almost none of them gets cashed. The check is kind of like a badge of honor because it’s really hard to find errors in the books. So people who get these things often frame them, and in fact, I did the same thing. He stopped issuing actual checks in 2008. It’s something you can’t get anymore, so it’s pretty cool. It’s a prized thing in computerdom.